Controlling access to docker registry with Sonatype nexus

In our current setup we are proxying the entire docker hub to pull the images, but what we want is to limit this proxy to only official indexes like ubuntu, apache etc. During configuration of the repository there was this option to set a custom index for the repository, so my two questions are:

1. Using the custom index option, will I be able to achieve what I explained above?
2. I tried https://hub.docker.com/_/centos/ for centos but it didn't work.

Please suggest how to go about this.
Yes, you can use a custom index to limit what's available in your repo. To achieve that you have to deploy and maintain your own docker registry index service and use that when configuring your docker proxy repository.

However, an easier solution would be to use a content selector to limit what's allowed to be accessed via your docker proxy repository while still using Docker Hub with its original index.

Using the simplified content selector solution is a bit hacky, but might work for you. Essentially you have to provide a whitelist (or a blacklist) in the form of a regex. The implication of this solution is that users of your registry will still be able to search for any available image, because you can keep using Docker Hub's index for simplicity.

For example, the content selector expression

```
path =~ '^/v2/library/(alpine|ubuntu).*$'
```

will only allow alpine and ubuntu to be downloaded. Now, the user you have created shall log into your registry, e.g.

```
$ docker login nexus.local:8085
```

That user will be authorised to pull both alpine and ubuntu (based on the content selector from step 2), but will fail to download anything else.

A sample successful pull:

```
$ docker pull nexus.local:8085/alpine
Using default tag: latest
latest: Pulling from alpine
Digest: sha256:0873c923e00e0fd2ba78041bfb64a105e1ecb7678916d1f7776311e45bf5634b
Status: Image is up to date for nexus.local:8085/alpine:latest
```

A sample failed pull:

```
$ docker pull nexus.local:8085/postgres
Using default tag: latest
Error response from daemon: unauthorized: access to the requested resource is not authorized
```
> we are proxying the entire docker hub to pull the images, but what we want is to limit this proxy to only official indexes like ubuntu, apache

What I did was: created a Routing Rule with Mode: ALLOW. I wanted only alpine and centos, so I created two matches with:

```
^/v2/library/centos.*$
^/v2/library/alpine.*$
```

That way all except centos and alpine are available from that docker proxy repo. Pulling anything else results in a "manifest unknown" error from docker.
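As an added example, not from either answer above, the script below replays the v2 request paths a docker pull sends against the allow regex style used on this page (ALLOW-mode semantics: a request passes only if it matches) and against a tightened variant that anchors on the repository name, since `alpine.*` also matches any repository whose name merely starts with "alpine". The `alpine-test` repository and the sample paths are constructed for the demonstration; the tightened regex is a suggestion, not something the page configures.

```python
import re

# The allowlist regex from the first answer above.
LOOSE_ALLOW = r"^/v2/library/(alpine|ubuntu).*$"

# Tightened variant (assumption, not from the page): the repository name must
# end right before the next path segment, so "alpine-test" no longer matches.
STRICT_ALLOW = r"^/v2/library/(alpine|ubuntu)/(manifests|blobs|tags)/.*$"

# Request paths a Docker client sends during a pull (constructed sample data).
# Pulling nexus.local:8085/alpine resolves to the Docker Hub "library/alpine" repo.
SAMPLE_REQUESTS = [
    "/v2/library/alpine/manifests/latest",            # docker pull alpine
    "/v2/library/ubuntu/blobs/sha256:" + "ab" * 32,   # a layer blob of ubuntu
    "/v2/library/postgres/manifests/latest",          # docker pull postgres
    "/v2/bitnami/nginx/manifests/latest",             # non-official image
    "/v2/library/alpine-test/manifests/latest",       # name only starts with "alpine"
]


def is_allowed(path: str, allow_regex: str) -> bool:
    """Mimic an ALLOW rule: the request passes only if its path matches."""
    return re.match(allow_regex, path) is not None


def evaluate(paths, allow_regex):
    """Return {path: allowed} for every request path under one allow rule."""
    return {p: is_allowed(p, allow_regex) for p in paths}


def differing_decisions(paths):
    """Paths where the page's loose regex and the tightened one disagree."""
    loose, strict = evaluate(paths, LOOSE_ALLOW), evaluate(paths, STRICT_ALLOW)
    return [p for p in paths if loose[p] != strict[p]]


if __name__ == "__main__":
    for rule_name, rule in (("loose", LOOSE_ALLOW), ("strict", STRICT_ALLOW)):
        print(f"--- {rule_name}: {rule}")
        for path, ok in evaluate(SAMPLE_REQUESTS, rule).items():
            print(f"{'ALLOW' if ok else 'DENY ':5} {path}")
    print("disagreements:", differing_decisions(SAMPLE_REQUESTS))
```

Because official images live under the curated `library/` namespace, the loose pattern is unlikely to be abused on Docker Hub itself, but the anchored form costs nothing and stays correct if the same selector is reused for a proxy of a less curated registry.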